Thursday, June 12, 2008

Information Security in three steps

Shrdlu writes an interesting post on how to explain to non-security people what it means to be secure. Three basic rules:

  1. Have control over your systems.
  2. Check your security frequently.
  3. Educate all your people.

This is an excellent summary.

Information security is about ensuring trust in data and data processing. Trust is sometimes defined as "performing as previously expected", and in order to be able to keep or attain a certain level of "living up to expectation", control is absolutely required.

Rule 2 is a little harder; if security requires checking security, we might have a circular reference that needs to be bootstrapped.

Rule 3 is another good one; if trust is indeed "performing as expected", people need to know what they can expect (and cannot expect), but they also need to know what is expected of them. I would probably rewrite these basic rules to:

  1. Have control over data and systems.
  2. Educate all users.
  3. Independently assess the effectiveness of rules 1 and 2 regularly.
